Client address to "external" via UNIX-domain socket
Evan Hunt
each at isc.org
Sat Mar 19 18:43:43 UTC 2011
> * If this is a TCP connection then pass the
> * address of the client through for tcp-self
> * and 6to4-self otherwise pass NULL. This
> * provides weak address based authentication.
>
> Is there a reason not to change that code to pass the client's address
> irrespective of whether UDP or TCP is used?
The existing API for simple secure updates specifies that only
TCP addresses should be passed in (see also the comment on
dns_ssutable_checkrules() in lib/dns/include/dns/ssu.h). We could
change that so it always passed an address and protocol for every
update and simply ignored the UDP ones... but the potential for
foot-shooting makes me a little nervous. Can you go into more
detail about why you need this?
> Alternatively, is there a way to prevent updates over UDP?
Well, if you're using matchtype external and the policy daemon
rejects anything that doesn't send an address, that would prevent
updates over UDP, I guess...
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
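The approach Evan sketches above, a policy daemon behind `update-policy ... external` that refuses any request arriving without a client address, worked through as an added example. This is illustrative code written for this page, not ISC's or the thread's. It assumes the request layout the BIND ARM documents for the `external` match type (a 4-byte version, a 4-byte length, NUL-terminated signer/name/tcpaddr/type/key strings, then a 4-byte TKEY token length and the token, over a UNIX-domain stream socket, answered by a 4-byte 0 or 1); check the ARM for the BIND version actually deployed before relying on the exact layout. The zone name, the "signer may only touch A/AAAA at its own name" rule, and the sample requests are constructed for the demonstration.

```python
"""Minimal update-policy "external" daemon (illustration, not ISC code).

Wire format assumed from the BIND ARM for the "external" match type:
    uint32 version (1) | uint32 request length |
    signer\0 name\0 tcpaddr\0 type\0 key\0 | uint32 token length | token
named fills tcpaddr only for TCP clients, so an empty tcpaddr means the
update came over UDP.  Reply: uint32 1 = permit, 0 = refuse.
"""
import os
import socket
import struct
import sys

SSU_EXTERNAL_VERSION = 1
HEADER = struct.Struct("!II")      # version, length of everything after the header
MAX_REQUEST = 65535                # cap so a bogus length cannot make us buffer forever


def build_request(signer, name, tcpaddr, rrtype, key, token=b""):
    """Encode one request the way named is assumed to (used here only to
    exercise the daemon offline; in production named is the sender)."""
    body = b"".join(f.encode("ascii") + b"\x00"
                    for f in (signer, name, tcpaddr, rrtype, key))
    body += struct.pack("!I", len(token)) + token
    return HEADER.pack(SSU_EXTERNAL_VERSION, len(body)) + body


def parse_request(data):
    """Decode a request into a dict; raise ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    version, length = HEADER.unpack_from(data)
    if version != SSU_EXTERNAL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated request")
    fields, pos = [], 0
    for _ in range(5):
        end = body.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated string field")
        fields.append(body[pos:end].decode("ascii"))
        pos = end + 1
    if len(body) < pos + 4:
        raise ValueError("missing token length")
    (token_len,) = struct.unpack_from("!I", body, pos)
    token = body[pos + 4:pos + 4 + token_len]
    if len(token) != token_len:
        raise ValueError("truncated token")
    signer, name, tcpaddr, rrtype, key = fields
    return {"signer": signer, "name": name, "tcpaddr": tcpaddr,
            "type": rrtype, "key": key, "token": token}


def decide(req, zone):
    """Return 1 (permit) or 0 (refuse).

    The first check is the point of the thread: no client address means the
    update arrived over UDP, so it is refused outright.  The remaining checks
    are a stand-in policy (constructed): a signer may only change A/AAAA
    records at its own name inside the configured zone.
    """
    if req["tcpaddr"] == "":
        return 0
    name = req["name"].lower()
    if not name.endswith("." + zone.lower().rstrip(".") + "."):
        return 0
    if name != req["signer"].lower():
        return 0
    if req["type"] not in ("A", "AAAA"):
        return 0
    return 1


def recv_exact(conn, n):
    """Read exactly n bytes from a stream socket or raise ValueError."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ValueError("peer closed connection")
        buf += chunk
    return buf


def handle_connection(conn, zone):
    """Serve one request on an accepted socket, failing closed (reply 0)
    on malformed input.  Returns the verdict that was sent."""
    verdict = 0
    try:
        head = recv_exact(conn, HEADER.size)
        _, length = HEADER.unpack(head)
        if length > MAX_REQUEST:
            raise ValueError("request too large")
        verdict = decide(parse_request(head + recv_exact(conn, length)), zone)
    except (ValueError, struct.error, UnicodeDecodeError):
        verdict = 0
    conn.sendall(struct.pack("!I", verdict))
    return verdict


def roundtrip(request, zone):
    """Push one encoded request through handle_connection over a socketpair
    and return the 32-bit verdict the client side reads back (offline check)."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(request)
        handle_connection(server, zone)
        (reply,) = struct.unpack("!I", recv_exact(client, 4))
    return reply


def serve(path, zone):
    """Listen on the UNIX-domain socket named in the update-policy rule."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)          # deployment choice: named's user/group only
    srv.listen(16)
    while True:
        conn, _ = srv.accept()
        with conn:
            handle_connection(conn, zone)


if __name__ == "__main__":
    serve(sys.argv[1], sys.argv[2])   # e.g. /var/run/named/ssu.sock example.com.
```

Run it as `python3 ssu_external.py <socket-path> <zone>` with the socket path matching the one in the `external` rule. Because a refused request is also how every parse error is answered, the daemon fails closed: a request that does not match the expected layout is treated exactly like an unauthenticated UDP update, which is the conservative default for a policy hook that sits in front of zone writes.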